From: "Serge E. Hallyn" <serge.hallyn@ubuntu.com>
To: Andy Lutomirski <luto@amacapital.net>
Cc: Jann Horn <jann@thejh.net>, "Serge E. Hallyn" <serge@hallyn.com>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Serge E. Hallyn" <serge.hallyn@ubuntu.com>,
lkml <linux-kernel@vger.kernel.org>,
Andrew Morgan <morgan@kernel.org>,
LXC development mailing-list
<lxc-devel@lists.linuxcontainers.org>,
Richard Weinberger <richard@nod.at>,
LSM <linux-security-module@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
Kees Cook <keescook@chromium.org>
Subject: Re: [PATCH RFC] Introduce new security.nscapability xattr
Date: Fri, 29 Jan 2016 01:31:51 -0600 [thread overview]
Message-ID: <20160129073151.GA23156@mail.hallyn.com> (raw)
In-Reply-To: <CALCETrV_McoPAFvXbZAOfWPpj6rMbYFZvrusVi9_yXsBXHkN0A@mail.gmail.com>
On Wed, Jan 27, 2016 at 04:36:02PM -0800, Andy Lutomirski wrote:
> On Wed, Jan 27, 2016 at 9:22 AM, Jann Horn <jann@thejh.net> wrote:
> > I think it sounds good from a security perspective.
>
> I'm a bit late to the game, but I have a question: why should this be
> keyed to the *root* uid of the namespace in particular? Certainly if
> user foo trusts the cap bits on some file, then user foo might trust
> those caps to be exerted over any namespace that user foo owns, since
> user foo owns the namespace.
... Tying it to a kuid which represents the userns->owner of any
namespace in which the capability will be honored might be fine
with me. Is that what you mean? So if uid 1000 creates a userns
mapping uids 100000-200000, and 100000 in that container puts X=pe
on /bin/foo, uid 101000 in that container runs /bin/foo with privilege
X. Uid 101000 in someone else's container does not.
Although, if I create two containers and provide them different
uidmaps, it may well be because I want them segragated and want
to minimize the changes of one container breaking out into the
other. This risks breaking that.
> But another option would be to include a list of uids and gids such
> that the cap bits on the file are trusted by any namespace that maps
> only uids and gids in the list. After all, the existence of a
> namespace with root user foo that also maps bar and baz along with a
> file with caps set means that, if baz can get to the file and
> permissions are set appropriately, then baz now owns bar (via any
> number of fs-related capabilities). So maybe bar and baz should have
> to be listed as well.
>
> But maybe this doesn't matter.
>
> In any event, at the end of the day, the right answer to all of this
> is to stop using setuid and stop using cap bits too and start using
> privileged daemons or other things that don't use the eternally
> fragile grant-privilege-on-execve mechanisms.
Heh, that's why I wrote a p9auth driver a few years ago, but it
was too early for such a thing.
next prev parent reply other threads:[~2016-01-29 7:31 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-11-30 22:43 [PATCH RFC] Introduce new security.nscapability xattr Serge E. Hallyn
2015-11-30 23:08 ` Eric W. Biederman
2015-12-01 3:51 ` Serge E. Hallyn
2015-12-04 20:21 ` Serge E. Hallyn
2016-01-19 7:09 ` Serge E. Hallyn
2016-01-20 12:48 ` Jann Horn
2016-01-27 16:08 ` Serge E. Hallyn
2016-01-27 17:22 ` Jann Horn
2016-01-28 0:36 ` Andy Lutomirski
2016-01-29 7:31 ` Serge E. Hallyn [this message]
2016-02-29 21:38 ` Serge E. Hallyn
2016-03-02 0:00 ` Serge E. Hallyn
2016-01-20 12:14 ` Jann Horn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160129073151.GA23156@mail.hallyn.com \
--to=serge.hallyn@ubuntu.com \
--cc=ebiederm@xmission.com \
--cc=jann@thejh.net \
--cc=keescook@chromium.org \
--cc=linux-api@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=lxc-devel@lists.linuxcontainers.org \
--cc=morgan@kernel.org \
--cc=richard@nod.at \
--cc=serge@hallyn.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).